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AMENDMENTS TO THE CLAIMS 

1 . (Currently Amended) A computer-implemented method of operating a reference 
monitor simulator to recreate operations performed by a reference monitor on a computer 
system, the method comprising: 

defining at least one security rule specifying whether to allow a request to access at 
least one resource; 

supplying at least one request to access a resource; 

applying the at least one security rule in response to the at least one request to 
access [[a]]the resource to determine whether to allow the at least one request and to control 
whether access is granted to the resource; and 

controlling the reference monitor simulator to operate at an accelerated rate as 
compared to an actual reference monitor by providing at least one parameter that defines a 
system environment in which the reference monitor simulator executes, 

where the at least one parameter includes a time parameter that controls one or 
more of, eliminating a time gap between trace requests, indicating that a time period 
between portions of a trace request has elapsed, and running a system clock faster than 
real-time, 

where the method being run, at least in part, as an event-driven kernel process. 

2. -5. (Canceled) 

6. (Previously Presented) The method of claim 1, comprising: 
assessing the effectiveness of the at least one security rule. 

7. (Previously Presented) The method of claim 6, wherein assessing the effectiveness 
of the security rule comprises determining at least one of, the number of improper access 
requests prevented, and the number of proper access requests allowed. 

8. (Previously Presented) The method of claim 6, wherein assessing the 
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effectiveness of the security rule comprises determining a rate of improper requests 
prevented. 

9. (Currently Amended) The method of claim 1, where providing at least one request to 
access [[a]]the resource comprises an application program supplying the at least one request 
to access [[a]]the resource. 

10. (Currently Amended) The method of claim 1, where supplying at least one request to 
access [[a]]the resource comprises capturing at least one request to access [[a]]the resource 
before supplying the at least one request to access [[a]] the resource. 

1 1 . (Currently Amended) The method of claim 1 0, where r fall the actual reference 
monitor performs the capture of the at least one request to access [[a]]the resource. 

12. (Currently Amended) The method of claim 11, where the actual reference monitor 
that performs the capture of the at least one request to access [[a]]the resource is the same 
type of reference monitor as the reference monitor whose operations are recreated by the 
reference monitor simulator. 

13. (Currently Amended) The method of claim 1 0, where the captured at least one 
request to access [[a]]the resource is an improper request. 

14. (Previously Presented) The method of claim 13, where an improper request 
comprises a request issued by an application in response to one of, a virus, and a 
buffer overrun attack. 

15. (Currently Amended) The method of claim 10, where the captured at least one 
request is modified prior to supplying the at least one request to access [[a]]the resource. 

16. (Previously Presented) The method of claim 15, where the modification is 
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performed by a user. 

17. (Currently Amended) The method of claim 6, where an electronic file system stores 
the at least one security rule, and 

where assessinq assessing the effectiveness of the at least one security rule 
comprises the reference monitor simulator accessing the security rule in the electronic file 
system in response to receiving the at least one request to access [[a]]the resource. 

18. (Previously Presented) The method of claim 1, where the at least one parameter 
provided to the reference monitor simulator comprises at least one of a system clock, a 
wrapper function, and a timer event. 

19. (Previously Presented) The method of claim 1, comprising: 
maintaining statistics on the operation of the reference monitor simulator. 

20. (Currently Amended) The method of claim 19, wherein the statistics include at least 
one of, the number of requests per resource, number of total requests, type of request per 
resource, total of each type of request, number of queries, number of callbacks, number of 
requests allowed compared to number of requests expected, and number of requests 
prevented compared to number of prevented requests expected. 

21. -40. (Canceled) 

41. (Currently Amended) A system for providing a reference monitor simulator 
for simulating the operations performed by a reference monitor, the system 
comprising: 

one or more processors; 

a definer component to define at least one security rule specifying whether to 
allow or deny a request to access at [[-]] least one resource under a given set of 
circumstances, where the definer component is implemented in computer hardware; 
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a supplier component to supply at least one request to access a resource, where 
the supplier component is implemented in computer hardware; and 

an applier component to apply the at least one security rule in response to the at 
least one request to access [[a]]the resource to determine whether to allow or prevent the 
at least one request, where the applier component is implemented in computer hardware; 

and a control component to control the reference monitor simulator to operate at 
an accelerated rate as compared to an actual reference monitor by providing at least one 
parameter that defines a system environment in which the reference monitor simulator 
executes, where the control component is implemented in computer hardware, 

where the at least one parameter includes a time parameter, where the time 
parameter that controls one or more of, eliminating a time gap between trace requests, 
indicating that a time period between portions of a trace request has elapsed, and 
running a system clock faster than real-time, 

where the applier component and control component operate, at least in part, at 
the kernel level, and where the system is event-driven. 

42.- 45. (Canceled) 

46. (Previously Presented) The system of claim 41, comprising an assessor component 
to assess the effectiveness of the at least one security rule. 

47. (Previously Presented) The system of claim 46, where assessing the effectiveness 
of the security rule comprises determining at least one of, the number of improper access 
requests prevented, and the number of proper access requests allowed. 

48. (Previously Presented) The system of claim 46, where assessing the effectiveness 
of the security rule comprises determining a rate of improper requests prevented. 

49. (Previously Presented) The system of claim 41, comprising an application 
program to supply the supplier component with the at least one request to access \ fall the 
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resource. 

50. (Currently Amended) The system of claim 41, comprising a capture component 
to capture at least one request to access a before supplying the at least one request to 
access [[a]]the resource. 

51. (Previously Presented) The system of claim 50, where the capture component 
includes a second reference monitor. 

52. (Previously Presented) The system of claim 51, where the second reference 
monitor is a same type of reference monitor as the reference monitor whose 
operations are recreated by the reference monitor simulator. 

53. (Currently Amended) The system of claim 50, wherein the capture component 
captures at least one improper request to access [[a]]the resource. 

54. (Previously Presented) The system of claim 53, wherein an improper request 
comprises a request issued by an application in response to one of, a virus, and a 
buffer overrun attack. 

55. (Currently Amended) The system of claim 50, comprising a modification 
component to modify at least one captured request prior to supplying the at least 
one request to access [[a]]the resource. 

56. (Previously Presented) The system of claim 55, where the modification 
component takes input from a user. 

57. (Currently Amended) The system of claim 41, comprising an electronic file system 
that stores the at least one security rule, and where the applier component accesses 
the security rule in the electronic file system in response to receiving at least one 
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request to access [[a]]the resource. 

58. (Previously Presented) The system of claim 41, wherein the provider component 
provides at least one parameter to the reference monitor simulator which includes at least 
one of a system clock, a wrapper function, and a timer event. 

59. (Previously Presented) The system of claim 41, comprising: 

a statistics component to maintain statistics on the operation of the reference 
monitor simulator. 

60. (Previously Presented) The system of claim 59, where the statistics component 
maintains statistics that include at least one of, the number of requests per resource, number 
of total requests, type of request per resource, total of each type of request, number of 
queries, number of callbacks, number of requests allowed compared to number of requests 
expected, and number of requests prevented compared to number of prevented requests 
expected. 

61. (New) A computer- readable medium encoded with computer instructions, which 
when executed on a processor, perform a method of operating a reference monitor simulator 
to recreate operations performed by a reference monitor on a computer system, the method 
comprising: 

defining at least one security rule specifying whether to allow a request to access at 
least one resource; 

supplying at least one request to access a resource; 

applying the at least one security rule in response to the at least one request to 
access the resource to determine whether to allow the at least one request and to control 
whether access is granted to the resource; and 

controlling the reference monitor simulator to operate at an accelerated rate as 
compared to an actual reference monitor by providing at least one parameter that defines a 
system environment in which the reference monitor simulator executes, 
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wherein the at least one parameter includes a time parameter that controls one 
or more of, eliminating a time gap between trace requests, indicating that a time period 
between portions of a trace request has elapsed, and running a system clock faster than 
real-time, 

wherein the method being run, at least in part, as an event-driven kernel process. 

62. (New) The computer-readable medium of claim 61, further comprising 
instructions, which when executed on the processor, perform: 

assessing the effectiveness of the at least one security rule. 

63. (New) The computer- readable medium of claim 62, wherein assessing the 
effectiveness of the security rule comprises determining at least one of, the number of 
improper access requests prevented, and the number of proper access requests allowed. 

64. (New) The computer-readable medium of claim 62, wherein assessing the 
effectiveness of the security rule comprises determining a rate of improper requests 
prevented. 

65. (New) The computer- readable medium of claim 6 1 , wherein providing at least one 
request to access the resource comprises an application program supplying the at least 
one request to access the resource. 

66. (New) The computer-readable medium of claim 6 1 , wherein supplying at least one 
request to access the resource comprises capturing at least one request to access the 
resource before supplying the at least one request to access the resource. 

67. (New) The computer-readable medium of claim 66, wherein the actual reference 
monitor performs the capture of the at least one request to access the resource. 

68. (New) The computer-readable medium of claim 67, wherein the actual reference 
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monitor that performs the capture of the at least one request to access the resource is the 
same type of reference monitor as the reference monitor whose operations are recreated 
by the reference monitor simulator. 

69. (New) The computer-readable medium of claim 66, wherein the captured at least one 
request to access the resource is an improper request. 

70. (New) The computer-readable medium of claim 69, wherein an improper request 
comprises a request issued by an application in response to one of a virus, and a 
buffer overrun attack. 

71. (New) The computer-readable medium of claim 66, wherein the captured at least 
one request is modified prior to supplying the at least one request to access the 
resource. 

72. (New) The computer-readable medium of claim 7 1 , wherein the modification is 
performed by a user. 

73. (New) The computer- readable medium of claim 62, wherein an electronic file system 
stores the at least one security rule, and 

wherein assessing the effectiveness of the at least one security rule comprises the 
reference monitor simulator accessing the security rule in the electronic file system in 
response to receiving the at least one request to access the resource. 

74. (New) The computer-readable medium of claim 61, wherein the at least one 
parameter provided to the reference monitor simulator comprises at least one of a 
system clock, a wrapper function, and a timer event. 

75. (New) The computer-readable medium of claim 69, further comprising instructions, 
which when executed on the processor, perform: 
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maintaining statistics on the operation of the reference monitor simulator. 

76. (New) The computer-readable medium of claim 75, wherein the statistics include 
at least one of: the number of requests per resource, number of total requests, type of request 
per resource, total of each type of request, number of queries, number of callbacks, number 
of requests allowed compared to number of requests expected, and number of requests 
prevented compared to number of prevented requests expected. 
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